NINJIO: Cybercriminals Are Targeting Legal Sector
New report from human risk management leader NINJIO exposes the evolving threat landscape in the legal sector, and what firms must do to defend themselves.

Cybercriminals are waging a relentless assault on the legal sector and many law firms are dangerously unprepared, according to a new report from cybersecurity awareness training and human risk management company NINJIO. Titled “Law and Disorder: How Cybercriminals Are Attacking the Legal Sector and What Can Be Done to Stop Them,” the NINJIO report reveals how cybercriminals are exploiting legal professionals, associations, and third parties and how they often use Artificial Intelligence (AI)-powered social engineering and phishing tactics.
The legal industry’s access to sensitive data—including intellectual property, M&A details, and client communications—makes it a prime target. The report details recent breaches at top-tier firms like Orrick and Gunster and exposes how hackers infiltrate the legal ecosystem through third-party vulnerabilities, malware disguised as legal documents, and business email compromise (BEC) schemes.
“Law firms aren’t isolated fortresses, they’re connected hubs of valuable information,” says Matt Lindley, Chief Innovation and Information Security Officer at NINJIO. “That makes the legal supply chain an attractive target. As AI-powered phishing becomes more sophisticated, security strategies must evolve fast.”
Joshua Ray, Founder of cybersecurity firm Blackwire Labs and a former US Department of Defence cybersecurity expert, adds: “Law firms are now high-value nodes in broader threat campaigns. Attackers are no longer opportunistic—they’re launching targeted, multimillion-dollar operations that exploit specific legal industry vulnerabilities.”
Key Findings of NINJIO Study
- 29% of law firms experienced a breach in 2023, and 60% of large firms did not know if they had.
- Artificial Intelligence is revolutionising social engineering, allowing attackers to impersonate clients, courts, and regulators with near-perfect legal language.
- Third-party breaches are surging, with supply chain attacks up 68% from 2023 to 2024.
- Cybercriminals are using malware platforms to trick lawyers into downloading fake legal documents.
Lindley asserts: “Traditional defences are no longer enough. Law firms must take the human element seriously. In the AI era, training that mirrors real-world attack scenarios isn’t just helpful—it’s essential.”
NINJIO’s Call to Action
To defend against this rapidly evolving threat landscape, the company urges legal organisations to:
- Conduct continuous cybersecurity risk assessments and third-party audits.
- Build a robust incident response plan (only one-third of law firms have one).
- Deploy relevant, personalised, and engaging cybersecurity awareness training across all roles, from senior partners to support staff.
Download the Full Report by visiting NINJIO’s website.